Business Continuity Planning Disaster Recovery Planning - PowerPoint PPT Presentation

1 / 38
About This Presentation

Business Continuity Planning Disaster Recovery Planning


Business Continuity Planning Disaster Recovery Planning * Vulnerabilities? Improper access to data - controls not granular enough Invalid data - Update permitted to ... – PowerPoint PPT presentation

Number of Views:294
Avg rating:3.0/5.0
Slides: 39
Provided by: bestitdo2


Transcript and Presenter's Notes

Title: Business Continuity Planning Disaster Recovery Planning

Business Continuity PlanningDisaster Recovery
  • A Business Continuity Plan (BCP) is an approved
    set of advanced arrangements and procedures that
    enable an organization to
  • Facilitate the recovery of business operations to
    reduce the overall impact of an event, while at
    the same time resuming the critical business
    functions within a predetermined period of time.
  • Minimize the amount of loss.
  • Repair or replace the damaged facilities as soon
    as possible.
  • Traditionally, recovery plans focused on the
    recovery of critical computer systems running at
    data centers (aka disaster recovery).
  • Today, recovery plans must also focus on the
    critical computer systems operating in a
    distributed environment involving PCs, LANs,
    telecommunications, etc.
  • Essentially, continuity plans address every
    critical function of an enterprise.

  • A disaster is something that interrupts normal
    business processing.
  • A disaster is defined as a sudden, unplanned
    calamitous event that brings about great damage
    or loss.
  • In the business environment, it is any event that
    creates an inability to support critical business
    functions for some predetermined period of time.

Reasons for BCP
  • It is better to plan activities ahead of time
    rather than to react when the time comes
  • Proactive rather than Reactive
  • Take the correct actions when needed
  • Allow for experienced personnel to be absent
  • Maintain business operations
  • Saves time, mistakes, stress and
  • Keep the money coming in
  • Short and long term loss of business
  • Have necessary materials, equipment, information
    on hand
  • Planning can take up to 3 years
  • Effect on customers
  • Public image
  • Loss of life

BCP Requirements
  • Provide an immediate, accurate and measured
    response to emergency situations.
  • Provide procedures and a listing of resources to
    assist in the recovery process.
  • Identify vendors that may be needed in the
    recovery process and put agreements in place with
    selected vendors.
  • Avoid confusion experienced during a crisis by
    documenting, testing and training plan
  • Clear guidance for declaring a disaster.

BCP Requirements
  • Provide the necessary direction to ensure the
    timely resumption of critical services.
  • Document storage, safeguarding and retrieval
    procedures for critical systems and supporting
  • Describe the actions, resources and materials
    required to restore critical operations at an
    alternate site in the event that the primary
    site(s) has suffered a serious outage.
  • Document recovery procedures so they can be
    executed by knowledgeable people.

Developing the BCPProject Management and
  • Determine the need for automated data collection
    tools, including plans to provide training on how
    to use the software.
  • Establish members of the BCP team, both technical
    and functional representatives.
  • Prepare and present an initial report to
    management on how the BCP will meet the

Developing the BCPProject Management and
  • Automated plan development can help you
  • Speed the process
  • Avoid missing critical elements
  • Organize teams
  • Maintain the plan

Developing the BCPProject Management and
  • Team Members
  • BCP Planner/Coordinator
  • Senior management, CFO, etc.
  • Legal, HR
  • Business unit/functions
  • Recovery team leaders
  • InfoSec, Telecomm, etc.
  • The same people who would be responsible for
    executing the plan in the event of an outage must
    also be involved in preparing the BCP

Developing the BCPBusiness Impact Analysis (BIA)
  • The BIA is a functional analysis that identifies
    the impacts should an outage occur. Impact is
    measured by the following
  • Allowable business interruption - the maximum
    tolerable downtime (MTD)
  • Financial and operational considerations
  • Regulatory requirements
  • Organizational reputation
  • The BIA sets the stage for determining a
    business-oriented judgment concerning the
    appropriation of resources for recovery planning

Developing the BCP - BIA
  • Impact Assessment
  • Purpose
  • Identify risks
  • Identify business requirements for continuity
  • Quantify impact of potential threats
  • Balance impact and countermeasure cost
  • Establish recovery priorities

Developing the BCP - BIA
  • Benefits
  • Relates security objectives to organization
  • Quantifies how much to spend on security measures
  • Provides long term planning guidance
  • Site selection
  • Building design
  • HW configuration
  • SW
  • Internal controls
  • Criteria for contingency plans
  • Security policy
  • Protection requirements
  • Significant threats
  • Responsibilities

Developing the BCP - BIA
  • Risk Assessment
  • Potential failure scenarios
  • Likelihood of failure
  • Cost of failure (loss impact analysis)
  • Dollar losses
  • Additional operational expenses
  • Violation of contracts, regulatory requirements
  • Loss of competitive advantage, public confidence
  • Assumed maximum downtime (recovery time frames)
  • Rate of losses
  • Periodic criticality
  • Time-loss curve charts

Developing the BCP - BIA
  • Risk Assessment/Analysis
  • Potential failure scenarios (risks)
  • Likelihood of failure
  • Cost of failure, quantify impact of threat
  • Assumed maximum downtime
  • Annual Loss Expectancy
  • Worst case assumptions
  • Based on business process model? Or IT model?
  • Identify critical functions and supporting
  • Balance impact and countermeasure cost
  • Key
  • Potential damage
  • Likelihood

Developing the BCP - BIA
  • Definitions
  • Quantitative Risk Analysis
  • quantified estimates of impact, threat frequency,
    safeguard effectiveness and cost, and probability
  • Powerful aid to decision making
  • Difficult to do in time and cost
  • Qualitative Risk Analysis
  • minimally quantified estimates
  • Exposure scale ranking estimates
  • Easier in time and money
  • Less compelling
  • Risk Analysis is performed as a continuum from
    fully qualitative to less than fully quantitative

Developing the BCP - BIA
  • Goals
  • Understand economic operational impact
  • Determine recovery time frame (business/DP/Network
  • Identify most appropriate strategy
  • Cost/justify recovery planning
  • Include BCP in normal decision making process

Developing the BCP - BIA
  • Risk Analysis Steps
  • 1 - Identify essential business functions
  • Dollar losses or added expense
  • Contract/legal/regulatory requirements
  • Competitive advantage/market share
  • Interviews, questionnaires, workshops
  • 2 - Establish recovery plan parameters
  • Prioritize business functions

Developing the BCP - BIA
  • Risk Analysis Steps
  • 3 - Gather impact data/Threat analysis
  • Probability of occurrence, source of help
  • Document business functions
  • Define support requirements
  • Document effects of disruption
  • Determine maximum acceptable outage period
  • Create outage scenarios

Developing the BCP - BIA
  • Risk Analysis Steps
  • 4 - Analyze and summarize
  • Estimate potential losses
  • Destruction/theft of assets
  • Loss of data
  • Theft of information
  • Indirect theft of assets
  • Delayed processing
  • Consider frequency
  • Combine potential loss probability
  • Magnitude of risk is the ALE (Annual Loss
  • Guide to security measures and how much to spend

Developing the BCP - BIA
  • Maximum tolerable downtime (MTD)

Developing the BCPRecovery Strategies
  • Business Recovery
  • Focus is on the critical resources and the
    maximum tolerable downtime for each
    business/support unit system. This may included
    identification of
  • Critical IT system hardware, software and data
  • Critical equipment, supplies, furniture and
    office space
  • Key personnel for each business unit and support
    unit, such as Operations, Facilities, InfoSec,

Developing the BCPRecovery Strategies
  • Facility and Supply Recovery
  • Focus is on restoration and recovery, such as
  • Facility - main building, remote facilities
  • Inventory - supplies, equipment, paper, forms
  • Equipment - network environments, servers,
    mainframe, PCs, etc.
  • Telecomm - voice and data
  • Documentation - application, technical materials
  • Transportation - movement of equipment, personnel
  • Supporting equipment - HVAC, safety, security

Developing the BCPRecovery Strategies
  • User Recovery
  • Focus is on personnel requirements, such as
  • Manual procedures
  • Vital record storage (i.e., medical, personnel)
  • Employee transportation
  • Critical documentation and forms
  • User workspace and equipment
  • Alternate site access procedures
  • User Recovery (continued)
  • Procedures for the organizations employees to
    follow during the outage include items such as
  • Team responsibilities
  • Distribution of information
  • Manual processing techniques
  • Disaster policies
  • Notification procedures
  • High priority tasks
  • Emergency accounting
  • Checklists

Developing the BCPRecovery Strategies
  • Operational Recovery
  • Determine the necessary equipment configurations
    such as
  • Mainframes, LANs, PCs, peripherals
  • Explore opportunities for integration/consolidatio
  • Usage parameters
  • Data communications configurations include
  • Switching equipment, routers, bridges, gateways

Developing the BCPRecovery Strategies
  • Operational Recovery (continued)
  • Outline alternative strategies for technical
    capabilities, such as network infrastructure
    components. Options include
  • Hot site, warm site, cold site, mobile site
  • Reciprocal or mutual aid agreements
  • Multiple processing centers
  • Service bureaus

Developing the BCPRecovery Strategies
  • Software and Data Recovery
  • Focus is on the recovery of information - the
    data. Options include
  • Backing up and off-site storage
  • Electronic vaulting
  • Online tape vaulting
  • Remote journaling
  • Database shadowing
  • Standby services
  • Software escrow
  • Manuals and documentation
  • Backup frequency - criticality and rate of change

lt P V expense of backup P probability
of loss V cost of recreating lost data
Developing the BCPRecovery Strategies
  • Software and Data Recovery (continued)
  • Security and controls of backup data and
  • While being transported to the offsite facility
  • While stored at the offsite facility
  • Backup site may need even better protection than
    primary site
  • Data at backup facility is not accessed very
  • Problems could go undetected for a long time
  • Consider encryption of backup data
  • Too much processing overhead?
  • Bank of America lost backup tapes

Developing the BCPPlan Design and Development
  • In this phase the team prepares and documents a
    detailed plan for recovery of critical business
  • End products include
  • Business and service recovery plans
  • Test method descriptions
  • Restoration plans
  • Plan maintenance programs
  • Employee awareness and training programs

Developing the BCPPlan Design and Development
  • 1. Determine management concerns and priorities.
  • 2. Determine planning scope such as geographical
    concerns, organizational issues, and the various
    recovery functions to be covered in the plan.
  • Establish outage assumptions.
  • Identify response procedures, such as ensuring
    evacuation and safety of personnel, notification
    of disaster, initial damage assessment,
    activating teams and relocating to alternate
  • . Identify resumption strategies for
    mission-critical and non-mission-critical systems
    at alternate sites.
  • 6. Identify the location for the emergency
    operations center/command center.
  • 7. Identify restoration procedures for salvage,
    repair and return to the primary site. Also, the
    procedures to deactivate the recovery site

Developing the BCPPlan Design and Development
  • 8. Plan and implement the gathering of data
    required for plan completion.
  • Personnel information
  • Vendor services
  • Equipment, software, forms, supplies
  • Vital records
  • Technical information
  • Office space requirements

Developing the BCPPlan Design and Development
  • 9. Review and outline who (and how) the
    organization will interface with external groups.
  • Customers
  • Shareholders
  • Civic officials
  • Community, region, and state emergency services
  • Utility providers
  • Industry group coalitions
  • Media

Developing the BCPPlan Design and Development
  • 10. Review and outline how the organization will
    cope with other complications beyond the actual
  • Responsibility to families
  • Coordination with human resource and legal
  • Fraud opportunities
  • Exposure of sensitive data
  • Looting and vandalism
  • Ensuring primary site is protected during
  • Safety and legal problems
  • Expenses exceeding emergency manager authority
  • Insurance coverage and timing of claim payment

Developing the BCPPlan Design and Development
  • 11. Develop support service plans, including
    human resources, public relations,
    transportation, facilities, IT, telecomm, etc.
  • 12. Develop business function plans and
  • 13. Develop facility recovery (i.e., the
    building) plans.

Plan Testing
  • Proves feasibility of recovery process
  • Verifies compatibility of backup facilities
  • Ensures adequacy of team procedures
  • Identifies deficiencies in procedures
  • Trains team members
  • Provides mechanism for maintaining/updating the
  • Upper management comfort

Plan Testing
  • Desk checks/checklist
  • Structured walkthroughs
  • Simulations
  • Parallel tests
  • Full interruption tests

Plan Maintenance
  • Develop processes that maintain the currency of
    continuity capabilities and the BCP document in
    accordance with the organizations strategic
    direction. This includes
  • Changing management procedures
  • Resolving problems found during testing
  • Building maintenance procedures into the process
  • Centralizing responsibility for updates
  • Reporting results regularly to team members

Plan Maintenance
  • Plan maintenance functions are
  • Receive and monitor input on needed revisions -
    maintain revision history
  • Plan maintenance reviews as needed
  • Monitor changes within business units, such as
    upgrades to systems
  • Control plan maintenance distribution - who
    receives a copy of plan updates
  • Ensuring version control - obsolete editions of
    the plan are collected and destroyed.

Awareness and Training
  • The goal is to design and develop a program to
    create corporate awareness and enhance the skills
    required to develop, implement, maintain and
    execute the plans.
  • The objectives should cover a range of outcomes
    from simple awareness of the major provisions to
    the ability to carry out specific procedures.
  • Train the teams used for recovery strategies.
  • Train those employees who will have specific
    roles in the recovery process, such as systems
    staff, team leaders, etc.
Write a Comment
User Comments (0)